
Bug#558784: Isn't this a security problem?



I would consider this to be a critical issue as it could become a security
problem.

Let's assume an archive key is compromised. As an admin reading this on
some information channel (irc, twitter, lwn.net, whatever) I would just
remove the key as shown by Tollef.

Only by reading this bug report do I now know that this plainly would not
work. Instead, apt-key will re-enable this key given any chance.

That sounds to me like re-enabling a root account or password authentication
for ssh style, something that should be up to the admin to decide. Having
a system override such a decision against me as the admin sounds like a
nightmare to me, something I would not accept from a trusted Debian system.

So, does this bug still apply?

Greetings, Torsten


